FCC asks carriers to step up to stop SIM swapping, port-out fraud

The US federal agency puts pressure on telecom carriers to put better authentication, account protection safeguards in place.

endpoint security hacker vulnerablility secure mobile security app
Thinkstock

Last week the Federal Communications Commission (FCC) put out for comment its first set of consumer cybersecurity protection rules under the Biden administration. These proposed rules address the growing scourge of so-called SIM swapping and port-out fraud.  

These scams exploit the fact that many businesses and organizations use cell phones to identify individuals for a host of accounts aside from mobile phone service. Among the accounts that use cell phones number for identification are e-mail, social media, banking, cryptocurrency exchanges, and online retail outlets, to name just a few of the kinds of accounts that criminal actors can compromise.

SIM (subscriber identity module) cards allow carriers to identify individual users once inserted in a device. Mobile phone owners can typically switch carriers and keep their own devices by simply swapping out SIM cards.

In issuing its Notice of Proposed Rulemaking (NPRM), the FCC said it "has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud." As Senator Ron Wyden said in a letter he and his colleagues sent to the FCC last year urging the agency to address SIM swapping, fraudsters use SIM swapping to "get wireless carriers to transfer the cell phone accounts of victims to them, steal their login credentials and then empty their victims' bank accounts."

Port-out fraud is similar. A port-out scheme entails exploiting customer requests to have their number "ported" from one carrier to another. As the Commission explains in its NPRM, "When a bad actor successfully impersonates the customer of a wireless carrier and convinces the carrier to port the real customer's telephone number to a new service provider and a device that the bad actor controls, the bad actor gains control over the customer's phone number and can intercept both text messages and phone calls intended for the victim."

Recently disclosed massive data breaches may make both of these kinds of identity attacks far easier to pull off. As a result, the FCC said it is taking "aim at these scams, with the goal of foreclosing the opportunistic ways in which bad actors take over consumers' cell phone accounts and proactively addressing the risk of follow-on attacks using stolen data, so as to mitigate the risk of additional consumer harm from recent data breaches."

The proposed regulations 

After concluding that its existing regulations are insufficient to police this kind of activity, the FCC has proposed a series of new regulations to achieve that foreclosure:

  1. Require carriers to adopt secure authenticating methods before redirecting a customer's phone number to a new device or carrier. Based on research conducted at Princeton University, the FCC defines sufficiently secure methods as: 
    • Use of a pre-established password
    • A one-time passcode sent via text message to the account phone number or a pre-registered backup number
    • A one-time passcode sent via email to the email address associated with the account
    • A passcode sent using a voice call to the account phone number or a pre-registered backup telephone number
  1. Require providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.
  2. Prohibit wireless carriers from effectuating a SIM swap unless the carrier uses a secure method of authenticating its customer.
  3. Require wireless carriers to develop procedures for responding to failed authentication attempts and immediately notify customers of any SIM change requests.
  4. Require all wireless providers, including resellers, to offer customers the option to place a "port-freeze" on their accounts at no cost to the customer to help deter port-out fraud.

The Commission also asks a series of relevant questions, including whether it should impose customer service, training, and transparency requirements on mobile carriers specifically focused on preventing SIM swap fraud. According to anecdotal evidence gathered by the agency, customer service representatives are not currently trained on procedures to deal with customers who have been victims of SIM swap fraud.

The FCC further asks whether it should require carriers to comply with the NIST Digital Identity Guidelines as a means of "future proofing" authentication. Those guidelines provide technical requirements for federal agencies that implement digital identity services.

Finally, the FCC asks whether it should amend its carrier requirements regarding backup authentication methods for lost or forgotten passwords. Those rules require carriers to authenticate customers without asking for readily available biographical information or account information to establish the password.

FCC no longer MIA on consumer protection

"I think that it's a good thing," Harold Feld, senior vice president of Public Knowledge, tells CSO. "It's frankly the kind of thing we like to see the FCC do. A new scam comes on the scene, and the FCC acts as the cop on the beat to require wireless companies to take necessary precautions. That's how it should be."

This rulemaking also returns the FCC to its previous role as consumer protection advocate. "For four years under Trump, the FCC was missing in action as a consumer protection agency," Feld said. "So, this is a very ‘welcome back’ to the FCC on protecting consumers and being involved in privacy and cybersecurity again."

Mobile carriers are surprisingly silent on the FCC's rulemaking, which was announced at the Commission's September 30 meeting. For example, US Telecom did not respond to a request for comment, although it issued statements relevant to other items on the FCC's agenda that day. CTIA, the primary wireless communications trade association, and several carriers contacted by CSO, likewise did not respond to requests for comments.

"Companies tend to kick. They're always like, 'We can handle this just fine, and we don't need rules,'" Feld says. But, "it's better really for everyone to have the FCC set the rules than to have companies trying to figure all this out on their own. People get mad at them for not letting them recover their passwords, or they get mad at them because people hijack their phones."

"This is exactly the kind of thing we want an expert federal agency to come in and say, 'Yeah, okay you know what? Maybe you think that what you're doing is okay, but we're hearing from a lot of people that it's not okay. So, we're going to make you up your game.’”

Copyright © 2021 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline